2 changes: 1 addition & 1 deletion artifactory_test.go
Expand Up @@ -6815,7 +6815,7 @@ func setupTestFilesForSearchPatterns(t *testing.T) {
tmpFile, err := os.CreateTemp("", "test-file-*.txt")
assert.NoError(t, err)
defer func(name string) {
_ = os.Remove(name)
_ = os.Remove(name) // #nosec G703 -- name is from CreateTemp, not user input
}(tmpFile.Name())
_, err = tmpFile.WriteString("test content")
if err != nil {
22 changes: 11 additions & 11 deletions docker_test.go
Expand Up @@ -138,7 +138,7 @@ func setupInsecureBuildxBuilder(t *testing.T, builderName string) func() {
http = true
insecure = true
`, registryHost)
require.NoError(t, os.WriteFile(configPath, []byte(configContent), 0644))
require.NoError(t, os.WriteFile(configPath, []byte(configContent), 0644)) /* #nosec G703 -- configPath is constructed from test temp directory, not user input */

// Remove builder if it exists (stop first, then remove)
_ = exec.Command("docker", "buildx", "stop", builderName).Run()
Expand Down Expand Up @@ -427,7 +427,7 @@ RUN echo "Built for nested path test"
CMD ["echo", "Hello from nested path"]`, baseImage)

dockerfilePath := filepath.Join(workspace, "Dockerfile")
assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644))
assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) /* #nosec G703 -- dockerfilePath is constructed from test workspace, not user input */

// Cleanup old build
inttestutils.DeleteBuild(serverDetails.ArtifactoryUrl, buildName, artHttpDetails)
Expand Down Expand Up @@ -515,7 +515,7 @@ RUN echo "This is the nested base image"
CMD ["echo", "base"]`, alpineBase)

baseDockerfilePath := filepath.Join(workspace, "Dockerfile.base")
assert.NoError(t, os.WriteFile(baseDockerfilePath, []byte(baseDockerfile), 0644))
assert.NoError(t, os.WriteFile(baseDockerfilePath, []byte(baseDockerfile), 0644)) /* #nosec G703 -- baseDockerfilePath is constructed from test workspace, not user input */

// Push base image to nested path
inttestutils.DeleteBuild(serverDetails.ArtifactoryUrl, baseImageBuildName, artHttpDetails)
Expand All @@ -538,7 +538,7 @@ RUN echo "This is the child image using nested base"
CMD ["echo", "child"]`, baseImageTag)

childDockerfilePath := filepath.Join(workspace, "Dockerfile.child")
assert.NoError(t, os.WriteFile(childDockerfilePath, []byte(childDockerfile), 0644))
assert.NoError(t, os.WriteFile(childDockerfilePath, []byte(childDockerfile), 0644)) /* #nosec G703 -- childDockerfilePath is constructed from test workspace, not user input */

// Build child image
inttestutils.DeleteBuild(serverDetails.ArtifactoryUrl, childBuildName, artHttpDetails)
Expand Down Expand Up @@ -1092,7 +1092,7 @@ RUN echo "Hello from test"
CMD ["sh"]`, baseImage)

dockerfilePath := filepath.Join(workspace, "Dockerfile")
assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644))
assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) /* #nosec G703 -- dockerfilePath is constructed from test workspace, not user input */

// clean build before test
runJfrogCli(t, "rt", "bc", buildName, buildNumber)
Expand Down Expand Up @@ -1141,11 +1141,11 @@ RUN echo "Hello from test"
CMD ["sh"]`, baseImage)

dockerfilePath := filepath.Join(workspace, "Dockerfile")
assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644))
assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) /* #nosec G703 -- dockerfilePath is constructed from test workspace, not user input */

// Create test file
testFilePath := filepath.Join(workspace, "test.txt")
assert.NoError(t, os.WriteFile(testFilePath, []byte("Hello from Docker build test"), 0644))
assert.NoError(t, os.WriteFile(testFilePath, []byte("Hello from Docker build test"), 0644)) /* #nosec G703 -- testFilePath is constructed from test workspace, not user input */

// clean build before test
runJfrogCli(t, "rt", "bc", buildName, buildNumber)
Expand Down Expand Up @@ -1199,7 +1199,7 @@ FROM %s
CMD ["hello"]`, golangImage, alpineImage)

dockerfilePath := filepath.Join(workspace, "Dockerfile")
assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644))
assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) /* #nosec G703 -- dockerfilePath is constructed from test workspace, not user input */

// clean build before test
runJfrogCli(t, "rt", "bc", buildName, buildNumber)
Expand Down Expand Up @@ -1251,7 +1251,7 @@ RUN echo "Built with buildx"
CMD ["echo", "Hello from buildx"]`, baseImage)

dockerfilePath := filepath.Join(workspace, "Dockerfile")
assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644))
assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) /* #nosec G703 -- dockerfilePath is constructed from test workspace, not user input */

// Check if buildx is available
cmd := exec.Command("docker", "buildx", "version")
Expand Down Expand Up @@ -1310,7 +1310,7 @@ RUN echo "Testing virtual repo"
CMD ["sh"]`, baseImage)

dockerfilePath := filepath.Join(workspace, "Dockerfile")
assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644))
assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) /* #nosec G703 -- dockerfilePath is constructed from test workspace, not user input */

// clean build before test
runJfrogCli(t, "rt", "bc", buildName, buildNumber)
Expand Down Expand Up @@ -1455,7 +1455,7 @@ func TestDockerBuildPublishWithCIVcsProps(t *testing.T) {
CMD ["echo", "Hello from CI VCS test"]`, baseImage)

dockerfilePath := filepath.Join(workspace, "Dockerfile")
assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644))
assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) /* #nosec G703 -- dockerfilePath is constructed from test workspace, not user input */

// Clean build before test
runJfrogCli(t, "rt", "bc", buildName, buildNumber)
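Review bot: Every suppression in this file is a trailing `/* #nosec G703 -- ... */` block comment on the os.WriteFile lines, while every other suppression in this change (artifactory_test.go, nuget_test.go, general/summary/cli.go) uses a `//` comment; `// #nosec G703 -- dockerfilePath is constructed from the test workspace, not user input` on the same line is the form gosec documents and matches the rest of the repository. The justification text is identical at all eleven sites, so a small helper such as writeWorkspaceFile(t, path, content string) carrying a single annotation would remove the repetition; note that the first site uses require.NoError and the others assert.NoError, so the helper would have to keep that distinction or the first call would stay inline. Each enclosing test function starts outside its hunk.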
1 change: 1 addition & 0 deletions general/ai/cli.go
Expand Up @@ -164,6 +164,7 @@ func sendRestAPI(apiType ApiType, content interface{}) (response string, err err
req.Header.Set(askRateLimitHeader, "true")
}
log.Debug(fmt.Sprintf("Sending HTTP %s request to: %s", req.Method, req.URL))
// #nosec G704 -- URL is a constant CLI-AI endpoint, not user-controlled input
resp, err := client.GetClient().Do(req)
if err != nil {
err = errorutils.CheckErrorf("CLI-AI server is not available. Please check your network or try again later.")
4 changes: 4 additions & 0 deletions general/summary/cli.go
Expand Up @@ -131,6 +131,7 @@ func saveFile(content, filePath string) (err error) {
if content == "" {
return nil
}
// #nosec G703 -- filePath is constructed from SummaryOutputDirPathEnv set by CLI, not arbitrary user input
file, err := os.Create(filePath)
if err != nil {
return err
Expand All @@ -146,10 +147,12 @@ func saveFile(content, filePath string) (err error) {

func getSectionMarkdownContent(section MarkdownSection) (string, error) {
sectionFilepath := filepath.Join(os.Getenv(coreutils.SummaryOutputDirPathEnv), commandsummary.OutputDirName, string(section), markdownFileName)
// #nosec G703 -- sectionFilepath is constructed from SummaryOutputDirPathEnv set by CLI, not arbitrary user input
if _, err := os.Stat(sectionFilepath); os.IsNotExist(err) {
return "", nil
}

// #nosec G703 -- sectionFilepath is constructed from SummaryOutputDirPathEnv set by CLI, not arbitrary user input
contentBytes, err := os.ReadFile(sectionFilepath)
if err != nil {
return "", fmt.Errorf("error reading markdown file for section %s: %w", section, err)
Expand Down Expand Up @@ -280,6 +283,7 @@ func processScan(index commandsummary.Index, filePath string, scannedName string
// shouldGenerateUploadSummary checks if upload summary should be generated.
func shouldGenerateUploadSummary() (bool, error) {
buildInfoPath := filepath.Join(os.Getenv(coreutils.SummaryOutputDirPathEnv), commandsummary.OutputDirName, string(BuildInfo))
// #nosec G703 -- buildInfoPath is constructed from SummaryOutputDirPathEnv set by CLI, not arbitrary user input
if _, err := os.Stat(buildInfoPath); os.IsNotExist(err) {
return true, nil
}
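Review bot: The new comment above os.Create in saveFile justifies the suppression by how one caller builds filePath, but saveFile receives filePath as a plain parameter and the annotation silences G703 for every present and future caller, so the comment should state the function's contract rather than a caller's behaviour, e.g. `// #nosec G703 -- filePath is a caller-supplied path; callers pass only paths under the summary output directory, never user-controlled input`. The same wording is then repeated twice two lines apart in getSectionMarkdownContent and again in shouldGenerateUploadSummary; the repetition appears to be needed because gosec ties the annotation to the statement it is attached to, so a one-line remark at the top of getSectionMarkdownContent saying so would stop the next reader from "deduplicating" it and silently losing a suppression. All three hunks sit inside functions that continue outside the view.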
2 changes: 1 addition & 1 deletion lifecycle_test.go
Expand Up @@ -1713,5 +1713,5 @@ type KeyPairPayload struct {
Alias string `json:"alias,omitempty"`
Passphrase string `json:"passphrase,omitempty"`
PublicKey string `json:"publicKey,omitempty"`
PrivateKey string `json:"privateKey,omitempty"`
PrivateKey string `json:"privateKey,omitempty"` // #nosec G117 -- field name is for JSON serialization, not a hardcoded secret
}
1 change: 1 addition & 0 deletions nuget_test.go
Expand Up @@ -251,6 +251,7 @@ func runInitNewConfig(t *testing.T, testSuite testInitNewConfigDescriptor, baseR
return
}

// #nosec G703 -- configFile path is created by test setup, not user input
content, err := os.ReadFile(configFile.Name())
if err != nil {
assert.NoError(t, err)
1 change: 1 addition & 0 deletions utils/cliutils/utils.go
Expand Up @@ -668,6 +668,7 @@ func getLatestCliVersionFromGithubAPI() (githubVersionInfo githubResponse, err e
func doHttpRequest(client *http.Client, req *http.Request) (resp *http.Response, body []byte, err error) {
const maxResponseSize = 10 * 1024 * 1024 // 10MB limit
req.Close = true
// #nosec G704 -- URL is validated and constructed from CLI configuration, not arbitrary user input
resp, err = client.Do(req)
if errorutils.CheckError(err) != nil {
return
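Review bot: The new `#nosec G704` above client.Do in doHttpRequest claims the URL is validated, but doHttpRequest performs no validation itself and accepts any *http.Request, so the suppression covers every caller of this shared helper, including ones not yet written. Either move the annotation to the call sites that actually construct the request (the hunk header suggests getLatestCliVersionFromGithubAPI is one, but its body is outside the view), or have the helper enforce what the comment asserts (for example restricting the scheme or host it will send to, if every caller permits that) so the comment becomes true by construction. If it stays here, reword it to the contract it actually relies on: `// #nosec G704 -- req is built by callers from CLI configuration or constants; callers must not pass user-controlled URLs`. doHttpRequest continues past the hunk.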
1 change: 1 addition & 0 deletions utils/cliutils/utils_test.go
Expand Up @@ -365,6 +365,7 @@ type redirectingTransport struct {
func (t *redirectingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
if req.URL.String() == t.targetURL {
// Create a new request to the redirect URL
// #nosec G704 -- redirectURL is a controlled test value, not user input
redirectReq, err := http.NewRequest(req.Method, t.redirectURL, req.Body)
if err != nil {
return nil, err